Microsoft’s July 14, 2026 security updates close a memory disclosure vulnerability in the Windows Print Spooler service that could let a local attacker read information they shouldn’t see. The bug, tracked as CVE-2026-57085, scored a CVSS 5.5 (Medium) and requires authenticated local access with low privileges. There’s no remote exploit path, no code execution, and no elevation of privilege baked into the vulnerability itself.
The flaw is an out-of-bounds read—CWE-125 in the National Vulnerability Database’s classification—that can be triggered within the Print Spooler components. If successfully exploited on a target machine, it may allow an attacker to pull fragments of sensitive data from protected memory regions. Think application secrets, authentication tokens, or internal configuration details that could be stitched together for a more sophisticated attack down the line.
The fix is practical: install July’s cumulative updates. But for IT teams managing fleets of multi-user servers, virtual desktops, or print servers, there are nuances that make this patch more urgent than a garden-variety medium-severity bulletin. And for anyone who has lived through the PrintNightmare era, the words “Print Spooler vulnerability” still trigger a reflexive pause. Here’s what has actually changed, who needs to move fastest, and the steps that go beyond a simple patch deployment.
The Vulnerability at a Glance
CVE-2026-57085 is an information-disclosure flaw—not a remote code execution bug and not an elevation-of-privilege gateway. Attackers cannot use it to write to the file system, crash the service, or pivot to SYSTEM without an entirely separate exploit chain. The damage is confidentiality: accessing memory that isn’t theirs.
Microsoft’s advisory states the attack vector is local, complexity is low, and privileges required are low. That translates to a logged-in user—even one with minimal rights—potentially running code that tricks the spooler into reading beyond a buffer’s boundary and coughing up sensitive data. No user interaction is required beyond the initial logon. The scope is unchanged, meaning the vulnerable component and the affected resource reside in the same security boundary.
That picture is a far cry from PrintNightmare (CVE-2021-34527), which combined remote code execution and local privilege escalation into a critical, wormable nightmare. PrintNightmare was exploited in the wild within days; CVE-2026-57085 has not been linked to any active campaigns as of the July 14 disclosure. CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC) assessed exploitation as “none,” automatable as “no,” and technical impact as “partial.” Those are hazard markers, not future-proof promises, but they provide useful triage guidance for patch managers juggling dozens of July fixes.
Still, an information leak from a ubiquitous Windows service isn’t benign. Memory disclosure bugs have historically aided attackers by exposing kernel pointers, enabling address space layout randomization (ASLR) bypasses, or revealing cryptographic material. Defenders should fix them with the same rigor applied to any vulnerability with a “high” confidentiality impact rating—especially on systems that routinely host sessions from multiple local users.
Who Needs to Act and How
The patches are baked into the July 2026 cumulative updates for both client and server Windows releases. There’s no standalone Print Spooler hotfix; you get the fix by deploying the full monthly update. The table below gathers the key platforms and their patched build numbers from Microsoft’s security update guide.
| Platform | July 14, 2026 Update | Patched Build |
|---|---|---|
| Windows 11 24H2 | KB5101650 | 26100.8875 |
| Windows 11 25H2 | KB5101650 | 26200.8875 |
| Windows 11 26H1 (Preview) | KB5101649 | 28000.2525 |
| Windows 10 21H2 / 22H2 | KB5099539 | 19044.7548 / 19045.7548 |
| Windows Server 2016 | KB5099535 | 14393.9339 |
| Windows Server 2019 | KB5099538 | 17763.9020 |
| Windows Server 2022 | KB5099540 | 20348.5386 |
| Windows Server 2025 | KB5099536 | 26100.33158 |
Windows Server 2012 and 2012 R2 are also affected and receive fixes through their respective servicing packages. Administrators with valid Extended Security Updates (ESU) licenses must ensure those systems are updated as part of their regular patch cycle.
One small note for Windows 11 25H2 users: Microsoft’s public metadata references a servicing relationship that doesn’t perfectly align with the 26200 build string listed separately. That’s a documentation quirk rather than a patch gap. The practical action is the same—install KB5101650 and confirm build 26200.8875.
The Real-World Risk
What separates this CVE from the stuff of IT admin nightmares? It’s local. An attacker must already have code execution as an authenticated user on the box. In a typical single-user laptop scenario, that attacker is likely the owner—a much less interesting threat. The risk rises sharply in environments where multiple users share the same operating system instance: terminal servers, virtual desktop infrastructure (VDI) hosts, shared kiosk machines, and jump boxes. On a Windows Server that doubles as a print server for an entire department, a low-privilege user could probe the spooler and perhaps vacuum up data belonging to other users or services.
The absence of an integrity or availability impact means a successful exploit won’t directly alter files or cause blue screens. But a determined attacker can use leaked memory contents to map out the target’s software landscape, extract plaintext credentials cached by other processes, or gather information that makes a subsequent privilege escalation effort simpler. Security researcher often liken such bugs to small cracks that, combined with other cracks, shatter the window.
CISA’s triage data—exploitation: none, automation: no—should temper the impulse to treat this like a zero-day response. At the same time, it emphatically shouldn’t be buried under “low priority” on the basis of a 5.5 score alone. Many organizations use CVSS as a starting point but layer on contextual risk: does this system host sensitive data? Do multiple low-privilege accounts log on interactively? If the answer is yes, CVE-2026-57085 deserves an expedited patch timeline, likely within the same 7–14 day window you’d apply to non-critical security updates.
Why Print Spooler Keeps Making Headlines
If PrintNightmare taught the industry anything, it’s that the Windows Print Spooler is an enormous, decades-old codebase that handles untrusted driver data, parses complex file formats, and runs with elevated privileges on almost every Windows machine on the planet. It’s a perfect storm for vulnerabilities. Since July 2021, Microsoft has patched multiple critical and important spooler bugs, and the company publicly acknowledged it is “rearchitecting” the spooler to reduce its attack surface. That work is ongoing.
CVE-2026-57085 is not a sign that the rearchitecture has failed or that a new wave of spooler exploits is imminent. It’s a reminder that deeply embedded components accumulate technical debt, and even as Microsoft redesigns them, the current codebase still needs regular scrutiny. The out-of-bounds read patched this month may well be a bug that has existed for years, dormant until someone probed the right boundary.
For the defender, the lesson is straightforward: when the patch arrives, apply it quickly—especially on servers that host the Print Spooler service. And don’t let the familiarity of “Print Spooler” in a CVE title desensitize you to the nuance of each disclosure.
Your Action Plan: Beyond Just Installing Updates
1. Deploy the July 2026 cumulative updates without delay on all devices that have the Print Spooler service running. Enterprise patching tools—Windows Update for Business, WSUS, Microsoft Configuration Manager, Intune—can push the updates to targeted rings. If you normally phase rollouts, consider accelerating the timeline for shared-server and VDI pools.
2. Verify the build number after patching. A green check in Windows Update is not enough. Use winver on local machines or query Get-HotFix/Get-ComputerInfo via PowerShell to confirm the exact build from the table above. Devices that are stuck on a deferral policy, hit a safeguard hold, or use offline servicing may report “up to date” despite lacking the July fixes.
3. Audit your Print Spooler footprint. If a server or endpoint has no business printing, disable the service. This is a hardening practice Microsoft has recommended for domain controllers and other sensitive roles for years, but it’s still frequently overlooked. Disabling the spooler on a domain controller, identity server, or dedicated application host eliminates the local attack vector entirely—for this CVE and any future spooler bugs.
4. On systems that must run the spooler, tighten local account hygiene. Since the vulnerability requires local interactive access, scrutinize who has the right to log on locally. Use Group Policy or local security policy to restrict “Allow log on locally” to specific administrator groups. On multi-user hosts, ensure that automated user profile cleanup and session limits are configured to reduce the attack window.
5. Monitor for anomalous Print Spooler activity. Although no public exploit exists as of this writing, unusual spooler restarts, unexpected driver installations, or error events related to memory access could indicate probing. The Windows Event Log (PrintService operational log and System log) can be forwarded to a SIEM for correlation.
6. Don’t skip change-control testing. July’s cumulative updates bundle a range of non-security fixes. For example, the Windows Server 2022 release notes mention a security hardening change affecting applications that use sockets over unregistered third-party TDI transports. Test the full update against your line-of-business applications, not just the print subsystem.
What Comes Next
CVE-2026-57085 will likely fade from the headlines faster than PrintNightmare did, but it should stay on the radar of security teams as a marker for how they handle medium-severity local disclosure bugs in high-exposure services. Microsoft’s ongoing spooler rearchitecture promises a more resilient design, yet the timeline for that overhaul remains unspecified. Until then, expect a steady trickle of Print Spooler CVEs—some critical, some moderate—each requiring the same basic discipline: patch promptly, verify thoroughly, and shrink the service’s footprint everywhere you can.
The July 2026 updates are available now. The question isn’t whether this vulnerability is the next PrintNightmare—it isn’t—but whether every machine that runs the spooler will actually land on its patched build before someone, somewhere, decides to take a closer look at what leaked memory might reveal.